Budget airline Ryanair has reacted with indignation to suggestions that its booking system ought to be more secure.
While most airlines only allow modifications to bookings once a passenger has verified themselves using a password and booking reference, Ryanair adopts a lower standard. German newspaper Der Tagesspiegel found …

No sympathy.

Some of us just don't have a choice

There's simply no competition on some routes, thus making Ryanair almost compulsory.

That doesn't make us, its users, cheapskates, or less deserving of good, friendly customer services and travelling in relative comfort and stress free environment, none of which is applicable to travelling with Ryanair at the moment.

A case of speaking too soon then

There's no evidence that miscreants have subverted Ryanair's booking system

Ha-Ha.

Now that the exploit is well known thanks to El Reg then I'd expect that johnny crim will be up to no good very soon.

Kudos to El Reg. Ryan-I-will-get-round-to-charging-you-for-the-air-that-you-breathe-Air are by a long way the worst airline I've ever had the misfortune to fly with. It takes a lot to beat some of the ex-Aeroflot routes I flew in the early 1990s.

It's an excellent site

Ryanair won't give a damn about this

If your booking is modified they will assume it was your fault for giving out your account details. If it is then possible to change the booking back they will charge you a re-booking fee. If your booking is not modified then no harm no foul. Either way it is better for their bottom line - they make more out of the punters or they save money on hiring web developers.

In reality no-one actually chooses to fly with Ryanair. People who use Ryanair either do so because there is no-one else flying from their local airport to their chosen destination or because they are unable / unwilling to pay the extra money other airlines charge. Ryanair have already lost all the customers it is possible for them to lose so why should they bother about this?

Indeed

Better than National Geographic

The National Geographic website only needs your subscription number in order to access your account settings. This would be the account number that is printed on the shipping label of every issue I receive. Granted, the scope for mischief is somewhat smaller, but it would appear that you can do things like change the delivery address this way.

I contacted their customer support to express my concerns only to receive a rather generic response that they would take the comments into consideration. In comparison Ryanair's security methods seem positively robust.

The title is required, and must contain letters and/or digits.

The ICO are useless when it comes to data protection. Just look at the way BT sent their customer details to ACS:Law in an unencrypted and unsecure format despite a court order and the ICO's complete lack of action as a result.

Thinking that the ICO will actually do their job is pointless since they've already refused on multiple occasions now to do it. It's just a pity that it's not one of those quangos on Cameron's hit list.

possible != probable

So there's a possibility (Q: has it ever, actually happened?) that a bad person could change the details of a flier's booking, or cancel it. So, apart from doing mischief what the hell would be the point? There's no possibility the bad person could make a financial gain for themselves from this - which therefore rules out 99.9 ... percent of the motivation for doing bad things to other people via the internet.

At best the miscreant would cause an unknown amount of inconvenience to a person they've never met. [If the target was someone they knew, they would surely have more direct ways of annoying them and could use their knowledge of that person to much greater effect].

So, yes. In theory this sort of activity may be possible. In practice the reasons for doing so would be so slight that an argument could be put that the person doing it had a mental health problem. In the real world it would be interesting to hear if there were any stories of this happening - either proven or even hearsay, to let us quantify the actual size of the problem.

you're missing the point

Reasons for doing so...?

You're right, that's ridiculous. Why would anybody want to do that? That's almost as silly as sending out billions of email messages advertising for Viagra or online poker sites. What's the point? Nobody would do that.

The title is required, and must contain letters and/or digits.

Mass cancellations would be one thing competitors might be interested in doing, or perhaps even unhappy employees that think their own company is taking the piss might try. Think BA and BASSA for example, or BA and Virgin (if memory serves BA were found guilty in a court of law of pursuing a dirty tricks campaign against Virgin some years ago - poaching Virgin customers was apparently one of the tricks used). Make the mechanism for viewing a booking too simple and this sort of tactic becomes possible. After all, with Ryanair if all that's needed is the email address then a bot could go through and try different values until one or more is accepted.

It could cause quite a few financial problems for the company concerned if they suddenly faced a large number of mysterious cancellations and had to pay back all the money associated with those trips. There's also the damage to the reputation of the company to take into account when they have to face the customers that didn't know this had happened (and for all we know could turn up at the terminal thinking they still had a flight to catch).

British Airways are almost as bad

They just send out an email with a hyperlink to the booking. Anybody who has been forwarded that email for whatever reason can change the booking. If anybody else manages to access the message then they can make changes too. The web page itself once you go to it is not protected in any way beyond the security-by-obscurity of having to know the exact URL. Once you're in, you're in and can make pretty much whatever changes you want to.

It's not just Ryanair

A lot of airlines have 'login' systems for flight modifications that those of us with an understanding of how it should be done would turn our noses up at. Normally all you need is the record locator and perhaps the passenger surname which admittedly isn't as poor as the email/date/origin example in the article but it isn't exactly what you'd consider a strong password either - they're typically 6 character alpha-numeric codes.

Last year, my mother flew BA to visit me. To make sure I had the right flight numbers, arrival times, etc, she forwarded the itinerary email which contained a direct link to edit her booking (no login required) and do anything from the silly like order a special meal to the serious like cancellation, modifications and entering passport numbers, etc. You'd think that the airline would be smart enough to separate the itinerary (which they must realise some people are going to forward) and the account/e-ticket information into separate emails.

You'd think in this day and age (and I mean of computer security not 'terr-ists') that they'd have a clue about how to write a login system but I guess not?

Ryanair charge for changes

This isn't really too much of an issue as Ryanair require you to enter card details to make any changes to the booking (even cancelling or name changes). And it doesn't get automatically charged to the card used.

Worst someone can do (for free) is check in for your flight for you with incorrect passport details (still against your name). (Which to be honest I doubt are checked properly by Ryanair anyway).

Seems a hell of a lot to go through just to cause someone a minor bit of hassle?

Uh, BA

British Airways only require the booking ref and passenger's surname to access a booking. OK, I don't think you can add any paid-for items without having to pay for them there and then but still, seems a bit double standards to me, even though like all sane people I too detest Ryanair.

and for the flight plan

Lost your res info? No problem, just contact ...

U.S. Homeland Security as they get everything about you and your flight including e-mail address(es), credit card numbers, passport number and DOB, meal preferences, seat assignment info, frequent flyer card numbers, home address and telephone number, cell number (if used anywhere in flight process), etc.

They draw down credit bureau info, too. Hotel reservations, other transportation details booked through any res system is also fully accessible to them.

WTF??

What the flup is with all the Ryanair hostility? Before they came along, Aer Lingus and BA had no qualms whatsoever, charging 700 GBP to fly all the way from Dublin to London. Now you can fly between the 2 cities on a range of airlines for less than the price of a good night out. Thank you Ryanair for doing that.

I flew home last week with Aer Lingus and spent the week before worrying if they would be on strike the day I flew out and spent half my holiday worrying whether they would still be on strike when it was time to fly back.

Ryanair bashing has become the new 'cool' by keyboard warriors, but at the end of the day, it just makes the poster come off like a wanker.

As has been pointed out, any changes to the booking require the person to enter the credit card details, which means all the attacker actually gains is the time and flight number the person is flying on, hardly the hack of the century.